Stores > Settings > ConfigurationSecurity > Security.txt



Field Scope Description
Enable Website When enabled, a security.txt file is saved that contains information that is needed by security researchers to report potential vulnerabilities to you. Options:
Yes - Creates the security.txt file based on information entered in the Contact information and Other information sections.
No - (default) Does not create the security.txt file.

Contact information

Contact Information

Field Scope Description
Email Website The email address where security reports can be sent.
Phone Website A phone number that can be used to report security concerns.
Contact Page Website The URL of a page on your site that lists security contacts, or your Contact Us page. Examples:

Other information

Other Information

Field Scope Description
Encryption Website A URL that points to the location of an encryption key that security researchers can use to send encrypted communications. Do not enter the encryption key in this field.

It is the responsibility of the researcher to verify that the key is from a trustworthy source. Researchers must not assume that the key is the same as that used to generate the digital signature. Example:
OpenPGP key from web server -
Acknowledgements Website A URL that points to a page in your store where security researchers are acknowledged, such as To prevent future attacks, include only a general description without revealing specific information about vulnerability issues. Example:
We would like to thank the following researchers:
(yyyy/mm/dd) Justin Thyme - SQL injection
Preferred Languages Website Specifies at least one preferred security reporting language. Separate multiple two-character language codes with a comma. All specified languages have the same priority. For example, to specify English, Spanish, and French, enter en, es, fr.
Hiring Website The URL of a page on the site that lists security-related job positions. Example:
Policy Website The URL of the page that describes your security policy and vulnerability reporting practices. Example: Default:
Signature Website A link to your digital signature file. The digital signature must be generated from the command line, and is saved in the .well-known folder on the server. For more information, see Security.txt on GitHub. Example: